Google Apps (Workspace) email failing? How to check DKIM and update in your DNS settings if needed.

When I travel every bit of IT in our family starts to malfunction. On a recent trip this included Emily's emails, they were intermittently rejected by Gmail recipients. Once I was home I had to dig up old knowledge; I found the answers in prior blog posts (see references below). It looks like something wiped out our Dreamhost DNS DKIM records a few weeks ago [1]. 

It's hard these days to do email with anything that's not full hosted on the big three.

The refs have more detail but here's the outline of the process:

1. In Google Workspace - Apps - Gmail - Authenticate email get the DKIM text value. You will probably have to generate a new record.
2. In Dreamhost control panel manage websites click on DNS settings for domain and enter google._domainkey as host and the TXT record value. (DH UI makes this look like it appends a suffix to this but it really doesn't.)
3. Once DH says the record has propagated return to the Admin console and click "start authentication"

It can take 48 hours for this to fully propagate but a few minutes after adding the key it did work when I validated as below.

To see if DKIM is working follow the process Google outlines (Usual automated testing services don't work with the way Google Apps do DKIM -- the selector won't work):

Send an email message to someone who is using Gmail or Google Workspace. (You can't verify DKIM is on by sending yourself a test message.) 

In the message header, look for Authentication-Results. Receiving services use different formats for incoming message headers, however the DKIM results should say something like DKIM=pass or DKIM=OK.

If the message header doesn't include a line about DKIM, messages sent from your domain aren't signed with DKIM.

When I looked at view original sent form Emily's account to my personal gmail account I didn't see DKIM=pass or DKIM=OK but I did see two entries starting with:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 

More importantly when I scrolled up a bit (this is in Gmail View Original) I saw a header that's interpreting the email headers (I think this might be a newer feature):

Message ID ....

Created at: Mon, Mar 13, 2023 at 2:59 PM (Delivered after 12 seconds)

From: Emily ....

To: John ...

Subject: test DKIM content

SPF: NEUTRAL with IP ...

DKIM: 'PASS' with domain ...

You can also paste the "original message" headers into toolbox.googleapps.com/apps/messageheader/. That gave similar results.

When I tested on a second family domain that did NOT have DNS TXT entry for DKIM it showed as DKIM 'PASS" in the email header interpretation with an odd domain string -- BUT in Google Apps it showed as NOT authenticating. I cannot explain this. 

Once I updated the DNS TXT DKIM entry for that domain and allowed a few minutes for propagation it did show in the Google Apps admin console as authenticating with DKIM and the headers showed the correct domain name.

DH's note on SPF records says they cannot be updated if we are using Google Workspace. This is new since 2018 and I think that's correct.

- fn -

[1] Eons ago every Dreamhosted domain had a free option to add Google Apps (now Google Workspace). That went away and earlier this year Google said they would discontinue the legacy free Google Apps. That was a thrash but on the edge of doom Google relented. I figured a DH script wiped the records but their first tier support said they hadn't done anything and instead referred to Google automated scripts that might change their DNS records (!).

- refs -

• Google - turn on DKIM for domains
• Google - troubleshoot DKIM issues
• Dreamhost DKIM records
• Check DKIM and SPF records
• Check DKIM records
• DKIM for Google Apps 2011 (easier then because we used a DNS service tied to Google. There's an analogous fix for Google Apps 2023 if you use their DNS. Yeah, I know they don't call it Google Apps any more.)
• Dreamhost SPF 2018 (looks like they were screwing up DKIM settings back then as well)
• How to get Google to DKIM authenticate your domain (2022)
• Dreamhost SPF records: "If you're using Google Workspace, you cannot update the SPF record. The field remains uneditable."

Managing sync issues in the Apple Notes app - what I do

I use Apple's Notes app fairly often. It's come a long way from early days but it has its share of bugs. The two I run into most often are formatting bugs and especially sync failures.

Formatting bugs seem to be related to frequent edits to a note using Notes app styles and character formats. Sometimes editing stops working in odd ways. I have to create a new Note and select all/paste into the new Note.

Sync bugs are more common and more serious. There are two kinds of sync bugs - global application sync failure and note specific failure.

Global sync means no notes are synchronizing and perhaps no iCloud content. I've seen that with iCloud password changes. I recommend never changing an iCloud password, Apple really doesn't want it to change. I had to recently because trying to use the Stanza calendar on the Saint Paul Saints web site with Apple integration triggered an instant Apple account lockout and mandated password reset (be afraid).

If iCloud sync doesn't work after a password change and iCloud seems to be properly authenticated first try restarting your iPhone or Mac. Then, on an iPhone, try sending an iCloud email. That last may require you to YET AGAIN enter your iCloud password. With luck the credential problem may resolve for all iCloud functions.

Single note sync failure may be something I see because I'm using Notes across the latest version of iOS and Mojave. I suspect it's actually fairly common even on Monterey/iOS though.

If it's just one note that won't sync between two devices you can check out Apple's web client view of Notes. That will tell you which device is off but it doesn't help with the fix. As far as I can tell there's no sync failure resolution built into Apple Notes. If Apple's sluggish iCloud sync means you have edited one note on two devices when they weren't in full sync then that particular note will no longer sync. No error messages, no offer to sort things out, no creation of two versions, it just quietly sits in isolation.

The workaround is to create a new note and confirm that syncs. Then on each separate device move the content from the now isolated notes into the new syncing note. Then delete the notes that didn't sync on each device.

Synchronization is a problem some seem to have solved (Simplenote for example), but Apple is not among this elite group.

Apple Watch Sleep App: Reinstallation and setup

My son has an Apple Watch SE running watchOS 9.3.1 (current). I'd never touched an Apple Watch but we wanted to get some data on sleep issues so I dug into it a bit. It turns out that the Sleep app is a frequent topic of Apple Discussion posts. I'll summarize what I learned here in case Google miraculously works and it's helpful to someone else.

References that were actually helpful:

• Apple Watch User Guide - Track your sleep
• Apple Track Sleep with Apple Watch and iPhone 
• Identify Apple Watch 
• Restoring Sleep App (reddit): "Open https://apps.apple.com/us/app/sleep/id1505627600 on your phone, then share/text the link to yourself and open it on your apple watch, then download the sleep app"

Key discoveries

1. It's not obvious which Apple Watches support the Sleep app. It seems to work on any device that can run the latest OS. His SE qualified.
2. It's possible to delete the Sleep app from Apple Watch. His didn't have it; he may have accidentally deleted the app. App Store search is utterly broken so it's hard to find it to reinstall. Reddit had directions (see above) that worked.
3. Once you have the Sleep app reinstalled you need to follow the directions on Apple Track Sleep with Apple Watch and iPhone carefully including this part: "If you paired your Apple Watch after completing Sleep setup, you can still turn on Track Sleep with Apple Watch. In the Watch app on your iPhone, tap the My Watch tab, then tap Sleep. Then tap Track Sleep with Apple Watch to turn on this setting."
4. The reports are well done but they are only viewable on the iPhone or Apple Watch. There's no export or print function [1]. Third party apps may have more capabilities, but the App Store is a sewer so I didn't want to wade into it.  Instead I did a bunch of screenshots from his iPhone and used Picsew to stitch them together and Preview to create a PDF with the reports.

- fn -

 [1] You can export all heath data as XML. This produced a 180MB file that BBEdit was able to open. It's not helpful.

Family member not getting iCloud+ family subscription for 2TB storage - "Use Family Storage" in Settings (Family Sharing)

A family member was seeing only the default 5GB of storage. I prepared to the usual fixes like restart phone, upgrade iOS, leave and restore iCloud and, finally, remove from family and add back in.

Turned out the fix was much simpler as of iOS 16.3.

Settings:Apple ID: iCloud: Manage Account Storage: Use Family Storage.

After I selected this option they got access to our 2TB and the "Use Family Storage" option went away. Instead they had "Change Storage Plan". Tapping that gave the option to leave Family Storage.

Apple's docs mention something about an iMessage going to family members to give them the option to use Family Storage. I suspect that didn't get attention.

Once I'd fixed the problem I used the new keywords to search for Apple documentation. Google found nothing (though it's really bad now) on the Apple site except a post from 2 days ago. So this might be newish.

Update 1/17/2024 

In the 2024 version of iOS and macOS (Sonoma) a friend ran into a similar issue. The family organizer had purchased the 2TB plan but my friend was only seeing the 200GB he paid $1 a month for. This time we found an Apple support document on the problem. If someone is paying for anything beyond the default free storage they have to manually switching into the family plan and end their subscription. This is now found on an iPhone in the newish Settings:Family:Subscriptions.

1. Go to Settings > Family.
2. Tap Subscriptions.
3. Tap iCloud+.
4. Tap Use Family Storage.

Also, when updating this, I discovered a 2017 post I'd done where I ran into a similar problem. That might be worth a look too.

Using IFTTT Webhooks to post RSS feed data to Mastodon (requires pro account)

Update 2/19/2024: I did this using my free IFTT account but per IFTT "Starting February 15th, 2024, webhooks Applets will be disconnected for free users". Currently a subscription is $35 a year but of course that may go up.

------------ original --------------

Eleven years ago I wrote about using the IFTTT service to create tweets from the RSS feed of my Pinboard shares (which are written for myself and for Emily; there are now over 49,000 entries).  

Back then I was continuing a kind of sharing I started with Google Reader Social (details) and continued with App.net after Social died.

Now Twitter is dying, but, incredibly, Maciej Ceglowski's Pinboard endures. I've migrated to Mastodon (on an instance for veterans of App.net!) so now I use IFTTT (still free for my use) to create mastodon posts tagged #jgshare from that old Pinboard RSS.

I'm writing now to share a bit of how that works. I started with a recipe first published in 2017 and updated in 2022 by KelsonV. That recipe uses IFTTT web hooks: I tweaked it a bit to get the output I wanted:

    Descriptive Title

    URL

    Commentary

The recipe is a bit hard to follow but the key steps are:

1. In Mastodon Profile Preferences Development create an "application" with website "https://ifttt.com/" and Scope of write:statuses. After it's created copy the access token.
2. In IFTTT create a rule based on the RSS feed of your source (in my case Pinboard shares with a particular tag). My rule starts with IF "New Feed Item"
3. The action part of the rule is a web request"
1. URL: https://appdot.net/api/v1/statuses
2. Method: POST
3. Content type: application/x-www-form-urlencoded
4. Authorization: Bearer 1234567890 (replace 1234... with your Mastodon access token)
5. Body as below.

KelsonV's post has additional details and screenshots.

The trick in the body was to get line spaces between Title, URL and Commentary. This worked:

status = 

<<<{{EntryTitle}}

>>>

<<<{{EntryUrl}}

>>>

<<<{{EntryContent}}

>>>

#jgshare

When I first ran this I'd get errors in my IFTTT log but the rule worked successfully. The errors went away.

Switching from Comcast to Century Link - including how to return Xfinity equipment

Seven years ago we switched from CenturyLink to Comcast/Xfinity. At the time I thought CenturyLink was kaput. Today we switched back; I'm sharing some notes on what to expect.

We had good service from Xfinity, but over the past year we've been hitting their 1.2TB data cap. I'm sure I could call Xfinity, threaten to leave, and negotiate transition to their 'unlimited' tier and get a price reduction as well.  I could do that, but the process irritates me.

Happily Century Link has survived, we are in their fiber area, and their fiberoptic GB no-cap service is apparently about what Xfinity charges us. I say apparently because we live in the surprise-fee era. You don't know what you pay until you get the bill. [Update: Century Link quoted me $70 and I'm honestly stunned to discover that is exactly the bill.]

CenturyLink customer service seems as abysmal as ever but local reports tell me the fiber is far more reliable than their old tech.

So we switched. A few notes on the process:

1. I began by turning off Xfinity automatic bill payment. I called and confirmed we had month-to-month no-contract and that final bill would be prorated.
2. CenturyLink signup was simple but their process is weak. They insisted on contacting us by phone;  it's a miracle we were able to catch the call and respond. A snow storm delayed installation; they didn't tell us the install was canceled and they appeared the next day unannounced. I'm retired so I was able to make that work. The web site does supposedly allow formal rescheduling but overall that's a C- performance. The tech did a nice job on the install, it was a direct shot from the pole to where our Comcast modem was. Since we have an Eero network he just had to swap a cable and we were on the new service.
3. After 3 days of use I called 800-266-2278 to cancel Xfinity/Comcast. Cancelation didn't take too long, I had to say "representative" a couple of times to bypass the vmail menu. The Comcast rep sounded depressed but typed on and on trying to complete the exit process. They were unsure how to return the hardware by UPS but I found the Comcast support article (which is flawed, more below)
4. Xfinity prorates the final bill. It's not clear if they ever actually charged me for the one time we went over their 1.2TB data cap.
5. Century Link charged me on 12/27/22 though service didn't start until 1/6/2023 (December 27, 2022 - January 26, 2023). On Jan 4 there was a 0$ bill for equipment and installation. My next bill is due 2/4 so the amounts do even out. The default setup is autopay to my credit card. I'll see if that generates an extra fee.
6. It's not obvious on the web site how one sees a bill. The bill date is a hyperlink. Shockingly the bill appears to be exactly the $70 they claimed; that's what appears on my credit card. Xfinity charged me $91 so I'm unexpectedly saving money.

The Xfinity requirement return is done through xfinity.com/returns -- but the directions are buggy. The easiest option is to bring the hardware to a comcast/xfinity store but I opted to drop off at UPS. Follow the prompts to create a mailing label but be ready to conclude without, you know, the mailing label. To print the label go to customer.xfinity.com/devices/returns/status and you'll see how to print. Box up the xfinity hardware in anything, put label inside and outside box and drop off at a UPS store.

The CenturyLink model is a C4000XG; that site has an online user guide. I couldn't find a manual for it on the CenturyLink site but I did find one online. https://192.168.0.1 worked to get to the admin screen, you need the CenturyLink sticker with the Admin password. You will certainly want to change the passwords to something tappable. The device web server doesn't render properly in (old) Mojave Safari so I used Chrome.

I'll update this post if I find any other surprises in the process.

Update 2/5/2023

I dropped the xfinity router off at the UPS store with the return label and a week later I got an xfinity email saying they had the router.

After we discontinued service my Xfinity login stopped working. There was no error message, it would let me enter my password but then request my password again. I wondered how I'd pay my last bill but a paper statement came in the mail with a credit on it. We pay in advance so there's credit for the unused part of the month. It does appear they never dinged me for my data overage. The statement said that in 30 days they would send me a check for whatever is left in the account, but in fact they credited part of my last payment back to the credit card I used.

Family Sharing: all charges go to Family Organizer - UNLESS there's an Apple Account balance

One of the drawbacks of Family Sharing is all charges go to the Family Organizer. Even if a family member has a payment method stored in their Apple Account it won't be used. When I look at my son's purchase history in iTunes I see that his recent music purchases have been billed to me. Apple's Support article is clear about this:

Which payment method is charged for purchases that family members make?

When Purchase Sharing is turned on, everyone's purchases bill to the family organizer's payment method.* If there's an issue with the payment method, the family organizer can update their payment method or add a new one.

If you're the family organizer and you don't want to share a payment method with your family, turn off purchase sharing. When purchase sharing is turned off, you can continue to share subscriptions like Apple TV+ and Apple Arcade. When Purchase Sharing is turned off, everyone must use their own payment method.

But this isn't true. My son's recent charges didn't appear on my credit card even though, as noted above, his purchase history says I paid for them.

It turns out there's an asterisk in the above paragraph. I think that was added recently. The asterisk points to a different support article:

Some purchases aren’t charged to your Apple Account balance

If you're in a Family Sharing group, purchases that you make are charged to your personal Apple Account balance. If you don't have enough Apple Account balance to pay for the purchase, the remainder is charged to the family organizer if purchase sharing is turned on.

Yes, that excerpt is internally contradictory! Ignore the heading, the key information is sort-of here: "If you're in a Family Sharing group, purchases that you make are charged to your personal Apple Account balance."

Basically the Apple Account balance is always used first regardless of Family Sharing status. Whatever exceeds that balance is charged to the primary payment method; for a family the primary payment method is always the credit card of the Family Organizer.

So this suggests that if you want charges to go to a family member rather than a family member, you use their primary payment method to create an Apple Account balance and then enable auto-reload.

Even when the payment is through the personal Apple Account balance the Purchase history will show that the purchase was by the Family Organizer. That is a bug. (Apple's purchase history records are a dumpster fire.)

An Apple Account balance can be created through a gift card. But what about using a family member's debit card to add money to their Apple Account? What about using Apple's Auto-reload feature?

Great questions! There's not any good documentation. I don't yet know the answer to the first question, but I did discover what happens with Auto-reload. Even if the family member's debit card is associated with their account the auto-reload will use the Family Organizer's payment method. (In my testing it took over 2 weeks for the first auto-reload charge to actually show on a credit card statement.)

So, what does this mean for those of us who would really like to have family members pay directly for their purchases? So far, not much. If you use auto-reload it may be easier to track the auto-reload payments and not worry about the per-item charges, but that's a small benefit.

That's all I know so far!